Over the past decade, enterprise software investments have increased significantly, and don’t show any signs of slowing down. Gartner Group recently predicted 9.5 percent growth in enterprise software spending in 2018, with another 8.4 percent growth in 2019, totaling $421 billion.
Driven by the fast pace of improvement in what software can do, it is seen as a significant catalyst for growth and as a result, R&D is shifting more and more toward developing software in every realm of enterprise technology.
The development and deployment of software at scale has matured significantly as well, specifically within enterprise and cloud-IT applications. Unfortunately, many organizations fail to correctly plan for the maintenance of software for the entire lifetime of the product it runs on.
While creating an accurate maintenance plan during software development, it is important to note that there are distinct differences between maintaining and protecting software in Critical Infrastructure (aerospace, defense, industrial, telecommunications/networking, transportation systems, etc.) and maintaining software in IT systems, and it is critical that enterprises know the difference before the planning process begins.
In the IT domain, an entire topology of infrastructure has been defined with relatively clear processes and domains of responsibility for developing and maintaining assets. For example, it is typical for hardware and operating systems to be specified and maintained by an IT department pushing updates from their platform vendors, with applications being managed by the independent software vendors (ISVs) themselves through automatic updates. In such an environment, software developers can rapidly and frequently deploy new features and ensure that bugs or security vulnerabilities are addressed through ongoing updates. That said, constant platform-wide modifications can open the door to potential new security threats with wide-reaching effects, since a common, non-customized version of software is often deployed across many scenarios.
The challenges of maintaining software in Critical Infrastructure are very different. First, responsibility for complex hardware and software content often lies with a single critical infrastructure equipment vendor who builds a somewhat fixed-function device to perform a specific task (i.e., an Electronic Control Unit for braking in a car, a high-performance CAT scanner for medical imaging, or a flight management system for controlling complex avionics equipment in an aircraft). Second, the critical nature of many applications means that a very different approach is required to develop systems that will be deployed and maintained reliably over long periods of time. The device lifecycle here is traditionally much longer than in the IT world, and support often must be tailored to the unique needs of an equipment vendor.
While these systems also contain hardware and software, they are typically very different from the IT systems described above. Some differences include:
- Hardware platforms are often entirely custom or semi-custom, optimized for some combination of power usage, performance, quality metric or price. As such, embedded systems may use a range of processor architectures, hardware accelerators or custom IO, and require software that is highly customized for that function. As a byproduct, the highly customized nature of these very specific devices also reduces the potential for any one cyberattack to have far-reaching impact beyond the targeted system.
- Software characteristics that are atypical of IT systems may be needed, such as determinism, low latency, high availability, or the ability to be certified to meet stringent regulated standards.
- Critical infrastructure is often deployed with lifespans in excess of 10+ years, even multiple decades, and is often hard to access or update.
- Reliability and performance are often more highly valued than flexibility, and as such, systems are typically more static and need to be maintained as a fixed configuration over a long period of time.
Given the strict demands and long lifespan of Critical Infrastructure systems, ongoing support and maintenance for the entire lifetime of deployed devices is essential. Unlike in the IT domain, custom approaches for supporting long-lifecycle products are often required. As it is often impractical to keep devices actively up to date with the latest releases of available software, customers may require support for older versions, or need a snapshot (or “frozen branch”) unique to their build, maintained for them over a period of time. Even if it’s possible to update a device’s software, regression testing or the complexity of product interdependencies could mean that a unique combination of updated software needs to be deployed, and that may require very specific migration support.
The cadence of how Critical Infrastructure software is developed and maintained is very different from IT systems, and requires a unique set of skills and infrastructure to ensure the health and efficiency of these applications for the long term.